
[SECURITY] [DLA 263-1] ruby1.9.1 security update



Package        : ruby1.9.1
Version        : 1.9.2.0-2+deb6u5
CVE ID         : CVE-2012-5371 CVE-2013-0269
Debian Bug     : 693024 700471

Two vulnerabilities were identified in the Ruby language interpreter,
version 1.9.1.

CVE-2012-5371

    Jean-Philippe Aumasson identified that Ruby computed hash values
    without properly restricting the ability to trigger hash collisions
    predictably, allowing context-dependent attackers to cause a denial
    of service (CPU consumption). This is a different vulnerability than
    CVE-2011-4815.

CVE-2013-0269

    Thomas Hollstegge and Ben Murphy found that the JSON gem for Ruby
    allowed remote attackers to cause a denial of service (resource
    consumption) or bypass the mass assignment protection mechanism via
    a crafted JSON document that triggers the creation of arbitrary Ruby
    symbols or certain internal objects.
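As an added illustration of the defensive side of CVE-2013-0269 (this is example code written for this page, not code from the advisory or the JSON gem), the snippet below parses an untrusted document with object additions disabled, keys left as Strings rather than Symbols, and a nesting limit, then walks the result to confirm that only plain data types came back. The `json_class` document and the depth limit of 20 are constructed sample values; the options used (`create_additions`, `symbolize_names`, `max_nesting`) are standard options of the json gem's `JSON.parse`.

```ruby
require 'json'

# Constructed sample: a document carrying the "json_class" key that the json gem's
# additions mechanism would use to instantiate an object if additions were enabled.
UNTRUSTED_DOC = '{"json_class":"Range","a":[1,5,false],"user":{"admin":true}}'

# Constructed limit: how deeply nested arrays/objects may be before parsing is refused.
MAX_DEPTH = 20

# Parse input from an untrusted source into plain Ruby data only:
#   create_additions: false  -> "json_class" is an ordinary key, no object creation
#   symbolize_names: false   -> keys stay Strings, so input cannot mint new Symbols
#   max_nesting              -> deeply nested documents raise JSON::NestingError
# JSON::NestingError is a subclass of JSON::ParserError, so one rescue covers both.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false, symbolize_names: false,
                  max_nesting: MAX_DEPTH)
rescue JSON::ParserError
  nil
end

# Recursively check that a parsed value contains nothing but Hashes with String
# keys, Arrays, Strings, numbers, booleans and nil (no application objects).
def plain_data?(obj)
  case obj
  when Hash
    obj.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array
    obj.all? { |v| plain_data?(v) }
  when String, Integer, Float, TrueClass, FalseClass, NilClass
    true
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  result = parse_untrusted(UNTRUSTED_DOC)
  puts "plain data: #{plain_data?(result)}"   # json_class is just a String key now
  deep = ('[' * (MAX_DEPTH + 5)) + (']' * (MAX_DEPTH + 5))
  puts "deep document accepted: #{!parse_untrusted(deep).nil?}"
end
```

The point of the `plain_data?` walk is that the application, not the parser, decides which keys reach a model: mass-assignment protection relies on comparing incoming keys against an allow list, which only works when those keys are ordinary Strings that the application can inspect.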

For the squeeze distribution, these vulnerabilities have been fixed in
version 1.9.2.0-2+deb6u5 of ruby1.9.1. We recommend that you upgrade
your ruby1.9.1 package.
